Hi,

HAProxy 2.6.11 was released on 2023/03/17. It added 24 new commits
after version 2.6.10. This is the equivalent of the 2.7.5 release,
hence the similar-looking message.

This version primarily focuses on fixes:
- The security research team "CertiK Skyfall Team" found a possible
  crash in the QPACK decoder used by HTTP/3 due to an insufficiently
  checked index causing an out-of-bounds read.

- A recent fix for the idle connections was insufficient and/or incorrect,
  because it could result in a connection removal being counted twice, and
  the number of idle conns either growing a lot, or underflowing. The effect
  could be an excess of idle connections to a server possibly preventing new
  connections from establishing.

- Upon reload, health checks were not properly stopped in pure backends;
  that was only done in listen sections because only proxies having
  listeners were stopped. This has been the case since 2.4 despite the
  doc, and resolvers experienced the same since 2.6.

- Aurélien found that fc_dst_port() and fc_dst_is_local() could
  occasionally fail because a condition was placed on the ability to
  retrieve the source instead of the destination, so if the destination
  had already been retrieved it would work, otherwise not.

- Fred addressed a few possible QUIC crashes related to invalid stream frame
  lengths triggering assertions.

- The H2 mux supports chaining multiple buffers at the connection level in
  order to store the data from many streams. However if a connection is
  severely congested, we could go back to the initial single-buffer situation
  where releasing a few kB of data would cause all waiting streams to be
  woken up, with only one of them succeeding in sending something. The
  symptoms are a lower H2 bit rate, a high CPU usage, an important presence
  of sc_conn_io_cb() in the run queue in "show tasks" (typically 90% of
  places) and 5-20 times more calls to sc_conn_io_cb() from
  h2_resume_each_sending_h2s() than other ones in "show profiling tasks".
  The correct way of proceeding consists in only restarting streams once
  the ring of connection buffers goes down to a single buffer. This also
  reduces memory usage under congestion.

- The recent fix for multiple "bind fd@0" that could crash on start was
  finally backported.

- The H2 mux was always sending its data using short SSL records, which
  explains why the performance was not as good as with HTTP/1. The reason
  is that the dynamic SSL records predate the muxes, and that the
  mechanism involved to use them was moved to the mux-H1 during the
  transition, without the mux-H2 being aware that there was something to
  be done. Now we continue to use small records when sending single
  buffers, but we use large records when sending more than one record,
  indicating large objects are being downloaded in parallel or that the
  link is congested.

- The H2 mux could sometimes crash when detaching a stream on a congested
  connection with no client timeout.

- Some rare bind errors on UNIX sockets were not correctly reported on
  startup.

And there were a few tiny improvements as well:
  - the H2 traces can now dump H2 headers (useful for debugging)

  - a few more fields are printed in "show fd"

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/2.6/src/
   Git repository   : https://git.haproxy.org/git/haproxy-2.6.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-2.6.git
   Changelog        : https://www.haproxy.org/download/2.6/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

Willy
---
Complete changelog :
Aurelien DARRAGON (4):
      BUG/MINOR: tcp_sample: fix a bug in fc_dst_port and fc_dst_is_local sample fetches
      BUG/MINOR: proto_ux: report correct error when bind_listener fails
      BUG/MINOR: protocol: fix minor memory leak in protocol_bind_all()
      BUG/MINOR: sock_unix: match finalname with tempname in sock_unix_addrcmp()

Christopher Faulet (7):
      BUG/MEDIUM: proxy: properly stop backends on soft-stop
      BUG/MEDIUM: resolvers: Properly stop server resolutions on soft-stop
      DEBUG: cli/show_fd: Display connection error code
      DEBUG: ssl-sock/show_fd: Display SSL error code
      BUG/MEDIUM: connection: Preserve flags when a conn is removed from an idle list
      BUG/MINOR: mux-h2: Fix possible null pointer deref on h2c in _h2_trace_header()
      BUG/MEDIUM: spoe: Don't set the default traget for the SPOE agent frontend

Frédéric Lécaille (2):
      BUG/MINOR: quic: Missing STREAM frame length updates
      BUG/MINOR: quic: Missing STREAM frame data pointer updates

Willy Tarreau (11):
      BUG/MINOR: mux-h2: make sure the h2c task exists before refreshing it
      MINOR: buffer: add br_single() to check if a buffer ring has more than one buf
      BUG/MEDIUM: mux-h2: only restart sending when mux buffer is decongested
      BUG/MINOR: mux-h2: set CO_SFL_STREAMER when sending lots of data
      BUG/MEDIUM: listener: duplicate inherited FDs if needed
      MINOR: h2: add h2_phdr_to_ist() to make ISTs from pseudo headers
      MEDIUM: mux-h2/trace: add tracing support for headers
      MINOR: trace: add a TRACE_ENABLED() macro to determine if a trace is active
      MINOR: trace: add a trace_no_cb() dummy callback for when to use no callback
      MINOR: trace: add the long awaited TRACE_PRINTF()
      BUG/MAJOR: qpack: fix possible read out of bounds in static table

---
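
The class of bug behind the QPACK item above (a peer-supplied index used on the static table without a sufficient check), as an added example that is not HAProxy's code and not part of the original message. The names `get_prefix_int` and `lookup_static_indexed` are hypothetical, and the table is a constructed excerpt of the RFC 9204 Appendix A static table (99 entries in full), cut to 8 entries to stay short.

```c
#include <stddef.h>
#include <stdint.h>

struct hdr { const char *name; const char *value; };

/* Constructed excerpt: first 8 entries of the RFC 9204 Appendix A static
 * table. The real table has 99 entries (indices 0..98). */
static const struct hdr static_tbl[] = {
    { ":authority", "" }, { ":path", "/" }, { "age", "0" },
    { "content-disposition", "" }, { "content-length", "0" },
    { "cookie", "" }, { "date", "" }, { "etag", "" },
};
#define STATIC_TBL_LEN (sizeof(static_tbl) / sizeof(static_tbl[0]))

/* Decode a prefixed integer with an n-bit prefix (same encoding as
 * RFC 7541 section 5.1). Returns the number of bytes consumed, or 0 if
 * the input is truncated or the value would not fit in 64 bits. */
static size_t get_prefix_int(const uint8_t *p, size_t len, unsigned n,
                             uint64_t *out)
{
    uint64_t mask = (1u << n) - 1, v;
    unsigned shift = 0;
    size_t i = 1;

    if (len == 0)
        return 0;
    v = p[0] & mask;
    if (v == mask) {                       /* prefix saturated: read more */
        do {
            if (i >= len || shift > 56)    /* truncated or oversized */
                return 0;
            v += (uint64_t)(p[i] & 0x7f) << shift;
            shift += 7;
        } while (p[i++] & 0x80);
    }
    *out = v;
    return i;
}

/* Resolve an indexed field line (bit pattern 1Txxxxxx, T=1 meaning static
 * table). Returns the entry, or NULL when the line is malformed, refers to
 * the dynamic table, or carries an index outside the static table. */
const struct hdr *lookup_static_indexed(const uint8_t *p, size_t len)
{
    uint64_t idx;

    if (len == 0 || (p[0] & 0xc0) != 0xc0 || !get_prefix_int(p, len, 6, &idx))
        return NULL;
    if (idx >= STATIC_TBL_LEN)             /* check before indexing the array */
        return NULL;
    return &static_tbl[idx];
}
```

The index is decoded as an unsigned 64-bit value and compared against the table length before any array access, so a multi-byte index from the peer is rejected rather than read past the end of the table.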
